CVE-2026-10650
Resource Consumption in libwebsockets SSH Protocol Handler
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| warmcat | libwebsockets | to 4.5.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-404 | The product does not release or incorrectly releases a resource before it is made available for re-use. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the warmcat libwebsockets library up to version 4.5.8, specifically in the SSH Protocol Handler component. It affects the function lws_ssh_parse_plaintext in the file plugins/protocol_lws_ssh_base/sshd.c. By manipulating the argument msg_len, an attacker can cause excessive resource consumption. The attack can be launched remotely, and an exploit for this vulnerability has been published.
A patch identified as 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 is available to fix this issue.
How can this vulnerability impact me? :
This vulnerability can lead to resource consumption on the affected system, which may degrade performance or cause denial of service conditions. Since the attack can be performed remotely without authentication, it poses a risk of disrupting services that rely on the vulnerable libwebsockets SSH Protocol Handler.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should apply the patch identified as 3f9f0c6ecaf0e6f3f219d30632c5d1f2479d7498 to the affected libwebsockets component.
This patch addresses the flaw in the lws_ssh_parse_plaintext function of the SSH Protocol Handler, preventing resource consumption attacks.